1. Software Security
Delivered in the
Cloud
HP Fortify on Demand: The quickest, most affordable way
to accurately test and score the security of any application
Solution guide
2. Table of contents
Executive summary 3
Testing third-party software 3
Testing internally developed software 3
How HP Fortify on Demand works 4
Correlation of static and dynamic results 6
Workflows 6
Three levels of dynamic testing 6
Security controls for HP Fortify on Demand 7
Product specifications 8
Integration with HP Fortify Software Security Center 8
Appendix: Fortify’s five-star security rating 8
2
3. Figure 1: The Executive Dashboard shows key results for your application testing projects from a single screen.
Executive summary This document describes in detail how HP Fortify
on Demand works and what it can accomplish for
HP Fortify on Demand is a Security-as-a-Service (SaaS) companies seeking to test the security of their software.
testing solution that allows any organization to test the
security of software quickly, accurately, affordably, Testing third-party software
and without any software to install or manage. This
automated on-demand service helps organizations with HP Fortify on Demand helps address two key scenarios:
two key challenges: 1. Vendor security management: Assessing third-party
software
• Ensuring the security of applications licensed from third For most organizations, third-party code represents a
parties large percentage of deployed software, and therefore
• Increasing the speed and efficiency of building a substantial area of potential risk. Yet most vendors
security into a development lifecycle provide little or no visibility into the security state of
their products. While improved vendor contracts can
HP Fortify on Demand serves the role of an independent,
provide some remedy in the case of a breach, ultimately
third-party system of record, conducting a consistent,
it’s better to avoid the problem altogether. Companies
unbiased analysis of an application and providing a
should ensure their third-party software is tested for
detailed tamper-proof report back to the security team.
vulnerabilities during the procurement or upgrade
Users simply upload their application binaries and/or
process, and request that critical issues be addressed
provide a URL for testing. HP Fortify on Demand can
prior to acceptance. However, software vendors are, for
conduct a static and/or dynamic test, verify all results,
a variety of reasons, resistant to having their software
and present correlated findings in a detailed interface
analyzed by anyone but themselves. Vendors are
and report.
concerned about providing access to their most precious
HP Fortify on Demand leverages the market-leading intellectual property—their source code. HP Fortify on
static analysis technology, HP Fortify Static Code Demand provides an easy-to-use SaaS-based approach
Analyzer (SCA) software, and the award-winning that doesn’t require source code and allows the vendor
dynamic analysis technology, HP WebInspect software. to test applications, resolve issues, and then publish a
Organizations can view security vulnerabilities in one report to the procurer. HP Fortify on Demand serves as
single dashboard, without installing software on- an independent third-party and system of record for
premise. HP Fortify on Demand is a highly secure SaaS conducting a consistent, unbiased analysis.
environment with robust security controls that assure all
sensitive uploads and other intellectual property remain Testing internally developed software
uncompromised. 2. Enterprise assessment management: Assessing
internal applications
Figure 2: HP Fortify on Demand won the “Best Security With internally developed applications, HP Fortify on
Solution” CODiE Award. Demand helps in two ways. For companies with a secure
development lifecycle already in place, HP Fortify on
Demand can provide a final test before deployment. For
organizations new to security, HP Fortify on Demand
can provide a quick and accurate test to baseline
applications and prioritize efforts to improve application
security.
3
4. “HP technology identifies potential security threats in software
through very deep analysis that ensures the software is safe to
deploy and the sensitive data and application behavior cannot be
compromised by hackers. HP Fortify on Demand is very easy to
use and gives great pointers on where a vulnerability is rooted in
the code so it can be quickly fixed.”
Anurag Khemka, President and CEO, RightWave, Inc.
How HP Fortify on Demand works HP Fortify on Demand supports 16 different languages—
see “product specifications” on the last page for the
HP Fortify on Demand tests the security of in-house or complete list.
third-party applications in four easy steps:
For dynamic analysis the user provides the URL for the
1. Login and upload applications application and any credentials necessary to access the
A new HP Fortify on Demand customer is given a private site. If the application is not externally facing, HP Fortify
account with secure login credentials. Role-based access on Demand can install a satellite appliance onsite, from
control allows administrators to see all projects and which the testing can run. HP can use a VPN client to
individual contributors to view only their projects. In gain access to the internal site.
the case of testing a vendor’s application, HP gives the
vendor an entirely separate account. 2. Comprehensive testing
HP Fortify on Demand provides comprehensive and
The user has the ability to kick off a static scan of the accurate testing. The static analysis leverages the
application code or a dynamic scan of a running web solution’s extensive Secure Coding Rulepacks, six
application. analysis engines, and patented X-Tier Dataflow analysis
For static analysis, the user uploads the executable to cover 100 percent of the code. The dynamic analysis
version of an application. HP Fortify on Demand leverages HP WebInspect. Dynamic testing experts from
doesn’t require source code. Examples of what may be HP combine automated and manual testing on a web
uploaded include: application that’s up and running. When the power of
both whitebox and blackbox security testing is applied
• A WAR or EAR file for Java to a web application, it results in a comprehensive
• A zip file of MSILs for .NET analysis of an application’s security posture.
• A zip file of the source files for PHP
Figure 3: Shown are the three key steps of the HP Fortify on Demand process.
1. 2. 3.
Upload Review
Test
Customer uploads HP Fortify on Demand conducts a thorough Customer reviews and analyzes the
software to the Cloud. application security test (dynamic, static or results of the application test in the form
manual) on the application. of a detailed report or dashboard.
4
5. After testing is complete, a software security auditor The user can also generate a detailed report, which
with a background in development and security reviews includes a wealth of information about the application,
the result set for accuracy. If there are any false positives, including the following:
the auditor removes these issues. If custom rules can • Application description provides an overview on the
be written to tailor the analysis to each individual type of application, its language, use case, data
application, the auditor will write these rules and then sensitivity and version.
re-test the application.
• HP Fortify Security on Demand Rating demonstrates
3. Results released quickly the application’s overall level of security. This is based
HP Fortify on Demand releases results as soon as they on a five-star rating system. One star represents
are ready. Static analysis results typically finish in one an application with significant security issues and
day, regardless of the application’s size. Dynamic five stars represent an application with no detected
analysis results may take longer, depending on the vulnerabilities. A full description of the rating system
size and complexity of the application. can be found in the appendix of this document.
Once testing and reviews are complete, HP Fortify • Prioritized set of vulnerabilities shows how many
on Demand emails the user and communicates that the critical, high, medium and low-priority issues were
results are ready. A user can login and view correlated found.
and prioritized results. • Remediation roadmap shows the effort it will take to
improve the security rating.
Figure 4: This executive summary page of the report provides
an overview of the security test. • Vulnerabilities by attack vector shows how each
identified vulnerability could be exploited.
• Most common vulnerabilities demonstrate what
vulnerabilities are most prevalent.
• Vulnerabilities by category includes a full list of all
vulnerabilities based on their type.
• Vulnerability details includes a complete list of all
vulnerabilities, with details about each. HP Fortify
on Demand provides helpful details about each
vulnerability, including the filename and line of code
(if the vulnerability was found statically), and the URL,
request, response and parameters (if the vulnerability
was found dynamically).
• Remediation guidance describes how each vulnerability
could be exploited and how to remediate it.
• PCI report helps companies demonstrate compliance
with the Payment Card Industry (PCI) Data Security
Standards (DSS).
• OWASP Top 10 shows all issues that fall in the OWASP
Top 10.
5
6. Figure 5: This summary view shows all issues identified based on the type of vulnerability, and whether they were found via static
analysis (blue) or dynamic analysis (yellow).
Correlation of static and dynamic results −−HP conducts thorough testing and works with the
vendor to resolve issues.
HP Fortify on Demand is the only SaaS-based solution
−−When ready, the vendor publishes a summary report
to offer true correlation of static and dynamic results. If
to the procurer, demonstrating the security posture of
a customer selects both a static and dynamic scan of an
the application.
application, all results will be correlated in order to help
prioritize issues and reduce the time to investigate and • Working with internal developers, quality assurance
fix issues. (QA) professionals or security managers to ensure
internally developed code is secure:
If the same type of vulnerability is found at the same URL
−−Security managers provide logins to all HP Fortify
both statically and dynamically, HP Fortify on Demand
on Demand users (most likely developers or security
automatically puts these results together, helping users
auditors).
investigate issues more easily and prioritize efforts.
−−Each user logs in and uploads the application and/
The HP Fortify on Demand dashboard also provides or provides a URL.
summary correlation information, showing which
−−HP conducts thorough testing and releases results.
vulnerabilities were found only statically, only
dynamically, or with both analysis techniques. This −−All results are summarized in one core dashboard.
summary information helps present the relative To speed the process and keep customers informed of
importance and value of each technique. In some cases status, HP Fortify on Demand sends email notifications
the overlap between the two testing methodologies is whenever an application has been uploaded and when
very high, while at other times the overlap is minimal. results are ready for viewing.
Only HP Fortify on Demand provides true correlation,
helping a company understand what the tests are finding
Three levels of dynamic testing
and speed the time to remediation. HP Fortify on Demand offers multiple options for
licensing. For both static and dynamic analysis, a user
Workflows can purchase individual scans or one-year subscriptions
for unlimited scanning per application. For dynamic
HP Fortify on Demand has two core uses cases—working
analysis, a user can choose among three different testing
with third parties to assess third-party code and working
levels (Premium, Standard or Baseline). Each is designed
with internal developers or security managers to ensure
for different use cases and offers varying levels of
internally developed code is secure. The workflow is
testing. A description of each is below:
very similar in both cases. Below is an overview of both
workflows: • Premium
• Working with third parties to assure that their software −−An automated and manual testing solution for
is secure: websites that are permanent, mission-critical, have
−−The vendor and the procurer receive separate HP rigorous compliance requirements, and in which the
Fortify on Demand accounts and establish a secure company relies on serving its customers or business
link between their accounts. partners and has multi-step form-based processes
−−The vendor uploads its executable and/or provides −−Includes testing for both technical and business logic
a URL. vulnerabilities
6
7. HP Fortify on Demand key advantages
• Best-of-breed static and dynamic analysis
• True correlation between static- and dynamic-analysis results
• All results manually reviewed by application security experts
• Flexibility for customers to easily migrate to on-premise solution
• Experienced security research team
−−Uncovering business logic vulnerabilities requires • Baseline
manual review by website security experts −−An automated solution for websites that are seasonal
who are capable of understanding things like or temporary in nature
account structures and the contextual logic in web
−−All results are manually reviewed by security experts
applications
to remove any false positives
−−All results are manually reviewed by security experts
to remove any false positives Security controls for HP Fortify on
• Standard Demand
−−An automated solution for websites that are a HP Fortify on Demand was designed and developed
permanent fixture in a customer’s online experience following industry best practices for secure SaaS solution
and have multi-step form-based processes, but are deployment.
not necessarily mission-critical
−−Includes testing for technical vulnerabilities The solution is physically housed in a Tier 4 A+
datacenter featuring multiple redundant power and
−−Includes the use of multiple automated and manual network feeds and “five nines” uptime. The datacenter
testing solutions is compliant with SAS 70 Type II, ITIL, ISO-17799
−−All results are manually reviewed by security experts and SunTone. It has 24x7x365 security using closed-
to remove any false positives circuit television (CCTV). All datacenter employees are
background-checked and all access is supervised. All
Figure 6: This table shows a comparison of the three testing levels of dynamic analysis
doors require PIN, magnetic card and biometric retina
available via HP Fortify on Demand.
scans before granting access. The datacenter has
redundant power systems with backup generators and
HP Fortify on Demand Dynamic Baseline Standard Premium double-conversion uninterruptible power supplies (UPSs).
Kickoff HP Fortify on Demand features world-class software
Planning objectives x x x security built with the same technology as HP Fortify
Credentials x x x Software Security Center, including hardened operating
Prepare environment x x x
systems and open-source components. Independent
third-party consulting firms conduct code reviews and
Prepare
pen tests on every major release.
Create login script x x x
Scan configuration x x x
HP Fortify on Demand has browser-to-system Secure
Sockets Layer (SSL) encryption for data protection. All
Application discovery x x x
data, including intellectual property and analysis results,
Application discovery with manual crawl x x
is encrypted with data-at-rest encryption technologies.
Execute All hard drives and storage systems are useless outside
Automated application scanning x x x the HP Fortify datacenter environment.
False positive removal x x x
A virtual private database is used to ensure separation
Bypass client controls x x between customers. The database is setup as a virtual
Attack authentication x x per-client relational database management system
Attack session management x x (RDBMS) instance with database encryption, ensuring
that users can only access their own data in their own
Attack access control x x
database.
Injection attack x x
Attack server, or hijack user privileges x x
For more information on the security of HP Fortify on
Demand, please see the whitepaper, “HP Fortify on
Advance fuzzing x
Demand: Security Controls in Place,” available upon
Application logic x request (taylor.mckinley@hp.com).
Manual penetration test x
Report
Summary x x x
Recommendations x x x
7